Additional checks for ansible dry-run (--check) mode

Anton Nerozya 2017-05-29 12:43:26 +02:00
parent 5364a10033
commit 12281912a2
13 changed files with 37 additions and 3 deletions


@ -61,11 +61,12 @@
force: "{{item.force|default(omit)}}" force: "{{item.force|default(omit)}}"
state: present state: present
register: docker_task_result register: docker_task_result
until: docker_task_result|succeeded until: docker_task_result|succeeded or ansible_check_mode
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
with_items: "{{ docker_package_info.pkgs }}" with_items: "{{ docker_package_info.pkgs }}"
notify: restart docker notify: restart docker
ignore_errors: "{{ ansible_check_mode }}"
when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
- name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns - name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns
@ -85,3 +86,4 @@
state: started state: started
with_items: with_items:
- docker - docker
ignore_errors: "{{ ansible_check_mode }}"
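Review bot: `ignore_errors: "{{ ansible_check_mode }}"` on the package task (first hunk) and on the service task (second hunk) hides every failure during `--check`, not only the ones caused by earlier steps being skipped, so a dry run can finish clean while the real install would fail. If the intent is only to tolerate prerequisites that were not applied, skipping is narrower: add `not ansible_check_mode` to the task's `when:`. Otherwise a short comment above each added line, for example `# dry run: prerequisites are not applied, a failure here is expected`, would record why errors are dropped. The same line is added throughout the other files of this commit, and both tasks begin outside the visible hunks.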


@ -127,6 +127,7 @@
dest: "{{cert_tempfile.stdout}}" dest: "{{cert_tempfile.stdout}}"
owner: root owner: root
mode: "0600" mode: "0600"
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0] inventory_hostname != groups['etcd'][0]
@ -135,6 +136,7 @@
no_log: true no_log: true
changed_when: false changed_when: false
check_mode: no check_mode: no
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0] inventory_hostname != groups['etcd'][0]
notify: set secret_changed notify: set secret_changed
@ -143,6 +145,7 @@
file: file:
path: "{{cert_tempfile.stdout}}" path: "{{cert_tempfile.stdout}}"
state: absent state: absent
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
inventory_hostname != groups['etcd'][0] inventory_hostname != groups['etcd'][0]
@ -181,6 +184,7 @@
dest: "{{ ca_cert_path }}" dest: "{{ ca_cert_path }}"
remote_src: true remote_src: true
register: etcd_ca_cert register: etcd_ca_cert
ignore_errors: "{{ ansible_check_mode }}"
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS) - name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
command: update-ca-certificates command: update-ca-certificates
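Review bot: In the second hunk the task keeps `check_mode: no`, so it executes for real during `--check`, and with `no_log: true` plus the new `ignore_errors` a failure there is neither reported in detail nor stops the run. It notifies `set secret_changed`, so it presumably handles certificate material on the node, which a dry run is not expected to touch. Consider adding `not ansible_check_mode` to its `when:` instead of ignoring its errors, or dropping `check_mode: no` if the task writes to the host. The kube-master certificate tasks later in this commit follow the same pattern; the task body starts outside the hunk.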


@ -11,6 +11,7 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
ignore_errors: "{{ ansible_check_mode }}"
#Plan B: looks nicer, but requires docker-py on all hosts: #Plan B: looks nicer, but requires docker-py on all hosts:
#- name: Install | Set up etcd-binarycopy container #- name: Install | Set up etcd-binarycopy container


@ -36,6 +36,7 @@
name: etcd name: etcd
state: started state: started
enabled: yes enabled: yes
ignore_errors: "{{ ansible_check_mode }}"
when: is_etcd_master and etcd_cluster_setup when: is_etcd_master and etcd_cluster_setup
# After etcd cluster is assembled, make sure that # After etcd cluster is assembled, make sure that


@ -34,6 +34,7 @@
- name: "Pre-upgrade | remove etcd-proxy if it exists" - name: "Pre-upgrade | remove etcd-proxy if it exists"
command: "{{ docker_bin_dir }}/docker rm -f {{item}}" command: "{{ docker_bin_dir }}/docker rm -f {{item}}"
with_items: "{{etcd_proxy_container.stdout_lines}}" with_items: "{{etcd_proxy_container.stdout_lines}}"
ignore_errors: "{{ ansible_check_mode }}"
- name: "Pre-upgrade | see if etcdctl is installed" - name: "Pre-upgrade | see if etcdctl is installed"
stat: stat:
@ -45,11 +46,12 @@
register: etcd_member_list register: etcd_member_list
retries: 10 retries: 10
delay: 3 delay: 3
until: etcd_member_list.rc != 2 until: etcd_member_list.rc != 2 or ansible_check_mode
run_once: true run_once: true
when: etcdctl_installed.stat.exists when: etcdctl_installed.stat.exists
changed_when: false changed_when: false
failed_when: false failed_when: false
ignore_errors: "{{ ansible_check_mode }}"
- name: "Pre-upgrade | change peer names to SSL" - name: "Pre-upgrade | change peer names to SSL"
shell: >- shell: >-
@ -57,3 +59,4 @@
awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
run_once: true run_once: true
when: 'etcdctl_installed.stat.exists and etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout' when: 'etcdctl_installed.stat.exists and etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
ignore_errors: "{{ ansible_check_mode }}"
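Review bot: In the second hunk `until: etcd_member_list.rc != 2 or ansible_check_mode` reads `.rc` before it tests the check-mode flag, so if the command is skipped in a dry run and `rc` is absent, the left operand may raise before `or` can short-circuit. Putting the flag first avoids that: `until: ansible_check_mode or etcd_member_list.rc != 2`. The `ignore_errors` added to the same task looks redundant, since `failed_when: false` is already set on it. The `when:` of the last task also reads `etcd_member_list.rc` and may need the same guard.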


@ -4,6 +4,7 @@
url: http://localhost:8080/healthz url: http://localhost:8080/healthz
register: result register: result
until: result.status == 200 until: result.status == 200
ignore_errors: "{{ ansible_check_mode }}"
retries: 10 retries: 10
delay: 6 delay: 6
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
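Review bot: `until: result.status == 200` is left unchanged, so in a dry run the task may still go through all 10 retries with a 6 second delay before the new `ignore_errors` takes effect. The docker and etcd pre-upgrade files in this commit short-circuit the loop instead; the equivalent here would be `until: ansible_check_mode or result.status == 200`. The three wait tasks in the next file (60, 15 and 20 retries) and the `until: kube_task_result.rc == 0` copy task have the same gap. The task starts outside the hunk.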


@ -28,6 +28,7 @@
until: scheduler_result.status == 200 until: scheduler_result.status == 200
retries: 60 retries: 60
delay: 5 delay: 5
ignore_errors: "{{ ansible_check_mode }}"
- name: Master | wait for kube-controller-manager - name: Master | wait for kube-controller-manager
uri: uri:
@ -36,6 +37,7 @@
until: controller_manager_result.status == 200 until: controller_manager_result.status == 200
retries: 15 retries: 15
delay: 5 delay: 5
ignore_errors: "{{ ansible_check_mode }}"
- name: Master | wait for the apiserver to be running - name: Master | wait for the apiserver to be running
uri: uri:
@ -44,3 +46,4 @@
until: result.status == 200 until: result.status == 200
retries: 20 retries: 20
delay: 6 delay: 6
ignore_errors: "{{ ansible_check_mode }}"


@ -5,6 +5,7 @@
- name: Copy kubectl from hyperkube container - name: Copy kubectl from hyperkube container
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl" command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
register: kube_task_result register: kube_task_result
ignore_errors: "{{ ansible_check_mode }}"
until: kube_task_result.rc == 0 until: kube_task_result.rc == 0
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
@ -23,6 +24,7 @@
group: root group: root
mode: 0755 mode: 0755
when: ansible_os_family in ["Debian","RedHat"] when: ansible_os_family in ["Debian","RedHat"]
ignore_errors: "{{ ansible_check_mode }}"
tags: [kubectl, upgrade] tags: [kubectl, upgrade]
- name: Write kube-apiserver manifest - name: Write kube-apiserver manifest


@ -45,7 +45,7 @@
- name: "Pre-upgrade | etcd3 upgrade | use etcd2 unless forced to etc3" - name: "Pre-upgrade | etcd3 upgrade | use etcd2 unless forced to etc3"
set_fact: set_fact:
kube_apiserver_storage_backend: "etcd2" kube_apiserver_storage_backend: "etcd2"
when: old_data_exists.rc == 0 and not force_etcd3|bool when: not old_data_exists|skipped and old_data_exists.rc == 0 and not force_etcd3|bool
- name: "Pre-upgrade | etcd3 upgrade | see if data was already migrated" - name: "Pre-upgrade | etcd3 upgrade | see if data was already migrated"
command: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_access_addresses }} get --limit=1 --prefix=true /registry/minions" command: "{{ bin_dir }}/etcdctl --endpoints={{ etcd_access_addresses }} get --limit=1 --prefix=true /registry/minions"


@ -60,4 +60,5 @@
name: kubelet name: kubelet
enabled: yes enabled: yes
state: started state: started
ignore_errors: "{{ ansible_check_mode }}"
tags: kubelet tags: kubelet


@ -83,6 +83,7 @@
no_log: true no_log: true
register: master_cert_data register: master_cert_data
check_mode: no check_mode: no
ignore_errors: "{{ ansible_check_mode }}"
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
@ -115,6 +116,7 @@
dest: "{{cert_tempfile.stdout}}" dest: "{{cert_tempfile.stdout}}"
owner: root owner: root
mode: "0600" mode: "0600"
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
@ -123,6 +125,7 @@
no_log: true no_log: true
changed_when: false changed_when: false
check_mode: no check_mode: no
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
notify: set secret_changed notify: set secret_changed
@ -131,6 +134,7 @@
file: file:
path: "{{cert_tempfile.stdout}}" path: "{{cert_tempfile.stdout}}"
state: absent state: absent
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
@ -153,6 +157,7 @@
owner: kube owner: kube
mode: "u=rwX,g-rwx,o-rwx" mode: "u=rwX,g-rwx,o-rwx"
recurse: yes recurse: yes
ignore_errors: "{{ ansible_check_mode }}"
- name: Gen_certs | target ca-certificates path - name: Gen_certs | target ca-certificates path
set_fact: set_fact:
@ -172,6 +177,7 @@
dest: "{{ ca_cert_path }}" dest: "{{ ca_cert_path }}"
remote_src: true remote_src: true
register: kube_ca_cert register: kube_ca_cert
ignore_errors: "{{ ansible_check_mode }}"
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS) - name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
command: update-ca-certificates command: update-ca-certificates


@ -40,6 +40,7 @@
shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)" shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
register: tokens_list register: tokens_list
check_mode: no check_mode: no
ignore_errors: "{{ ansible_check_mode }}"
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
run_once: true run_once: true
when: sync_tokens|default(false) when: sync_tokens|default(false)
@ -48,11 +49,13 @@
shell: "tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0" shell: "tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
register: tokens_data register: tokens_data
check_mode: no check_mode: no
ignore_errors: "{{ ansible_check_mode }}"
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
run_once: true run_once: true
when: sync_tokens|default(false) when: sync_tokens|default(false)
- name: Gen_tokens | Copy tokens on masters - name: Gen_tokens | Copy tokens on masters
shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /" shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
ignore_errors: "{{ ansible_check_mode }}"
when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
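Review bot: The task that registers `tokens_data` runs for real under `check_mode: no`, and no `no_log` is visible on it or on the copy task that embeds `tokens_data.stdout` in its command line. Ansible prints the result of a failed task, and with `ignore_errors` the run then carries on, so the base64 token archive could end up in dry-run output or logs. The certificate tasks touched by this commit set `no_log: true`; adding `no_log: true` to both token tasks would match them. The first task's header is outside the hunk, so an existing `no_log` there cannot be ruled out.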


@ -47,6 +47,7 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
ignore_errors: "{{ ansible_check_mode }}"
tags: [hyperkube, upgrade] tags: [hyperkube, upgrade]
- name: Calico | Copy cni plugins from calico/cni container - name: Calico | Copy cni plugins from calico/cni container
@ -56,6 +57,7 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
changed_when: false changed_when: false
ignore_errors: "{{ ansible_check_mode }}"
when: overwrite_hyperkube_cni|bool when: overwrite_hyperkube_cni|bool
tags: [hyperkube, upgrade] tags: [hyperkube, upgrade]
@ -77,6 +79,7 @@
delay: 5 delay: 5
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
run_once: true run_once: true
ignore_errors: "{{ ansible_check_mode }}"
- name: Calico | Check if calico network pool has already been configured - name: Calico | Check if calico network pool has already been configured
command: |- command: |-
@ -103,6 +106,7 @@
environment: environment:
NO_DEFAULT_POOLS: true NO_DEFAULT_POOLS: true
run_once: true run_once: true
ignore_errors: "{{ ansible_check_mode }}"
when: not legacy_calicoctl and when: not legacy_calicoctl and
("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout)
@ -151,11 +155,13 @@
- set_fact: - set_fact:
calico_pools: "{{ calico_pools_raw.stdout | from_json }}" calico_pools: "{{ calico_pools_raw.stdout | from_json }}"
run_once: true run_once: true
ignore_errors: "{{ ansible_check_mode }}"
- name: Calico | Check if calico pool is properly configured - name: Calico | Check if calico pool is properly configured
fail: fail:
msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}. msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}.
Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")' Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")'
ignore_errors: "{{ ansible_check_mode }}"
when: ( calico_pools['node']['nodes'] | length > 1 ) or when: ( calico_pools['node']['nodes'] | length > 1 ) or
( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") ) ( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") )
run_once: true run_once: true
@ -203,6 +209,7 @@
name: calico-node name: calico-node
state: started state: started
enabled: yes enabled: yes
ignore_errors: "{{ ansible_check_mode }}"
- name: Calico | Disable node mesh - name: Calico | Disable node mesh
shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off" shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off"
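Review bot: Adding `ignore_errors` to the `fail:` task `Calico | Check if calico pool is properly configured` (fifth hunk) downgrades the pool validation to an ignored failure during `--check`, so a misconfigured pool no longer stops the dry run. The `set_fact` above it gets the same line; if its `from_json` fails, `calico_pools` stays undefined and the `when:` of the `fail:` task may error on the lookup rather than evaluate. If `calico_pools_raw` is a read-only query that can run in check mode, the validation could stay enforced. If it cannot, an explicit skip states the intent better than an ignored error: start both conditions with `not ansible_check_mode and`.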